By that same token it also allows us to focus on continuous monitoring after we have made the initial authorization risk acceptance decision, and that is really where the action is today. Continuous monitoring is critical, making sure we understand on an ongoing basis the security state of our systems, not just every three years or every six months, but on a day-by-day, hour-by-hour basis. That is the tempo our adversaries are working at today as they launch these very sophisticated cyber attacks against our critical systems.
CHABROW: What happens next in getting agencies to follow this guidance?
ROSS: As with all of our publications as they are updated, agencies have one year for their legacy systems to implement the new guidance. For any systems that are brand new, they are currently going through a life cycle development; they will be expected to comply with the new guidance as that system gets fielded. That policy has already been established by OMB (Office of Management and Budget) and continues to be carried out through our guidance. So there will be a transition period with all of these new publications as agencies start to adopt the new guidance.
CHABROW: You issued a draft of this revision last fall. Is there anything new in this final revision that was implemented since the draft was issued?
ROSS: Yes. There are a couple of new things in here that I think our customers are going to be very excited to see. We start to address something that has been going on for a long time. Service oriented architectures and cloud computing are examples of what we characterize as dynamic subsystems within the new 800-37.
This is kind of an acknowledgement that our classic information system boundary, which for years and years we viewed as a static boundary, has now become more porous. As we start to use external services and build service oriented architectures, sometimes the components of your system are not there all of the time; they get brought in on an on-demand basis. We start to address dynamic subsystems in the new 800-37 by talking about how we make sure that those services being provided, wherever they emanate from, have some standard of security due diligence applied to them, too. So you can make certain assumptions and establish certain constraints on how those services are used and how they impact the other operating parts of the system you are using to carry out your core missions.
The other very important thing we have added, in Appendix F, is that we have extended the types of authorization approaches an organization can use. The traditional approach has a single authorizing official (or, if you are in the DOD, a Designated Approving Authority) making a single authorization decision for each system. We have added two new approaches.
One is called a joint authorization, where you can have multiple authorizing officials working together through all of the steps in the risk management framework, from defining requirements all the way through implementation, and then together making a collective, joint authorization decision. This could be a situation where, for example, you have several federal agencies considering using an external service or an external service provider, and they want to be involved all the way through the process to make sure everything that is important to them as an organization, to support their missions, is reflected in that authorization process as they apply the risk management framework.
The second new type, which is now the third type of authorization, is called a leveraged authorization. This again is probably going to apply in a pretty big way with some of the new paradigms out there like cloud computing. A leveraged authorization would be something along the lines of a federal agency, for example the GSA, going out and accrediting or authorizing a cloud provider's information systems. After they have gone through that authorization process, there may be a string of other federal agencies that decide somewhere down the line, after that authorization is completed, that they also want to use that cloud provider's services. But instead of having each of those agencies go back and do a complete reauthorization for their own purposes, they can now use the documentation and evidence produced as part of that first agency's authorization as the basis of their own risk decision.